Providing Kerberos Credentials using a Keytab File

Configure Kerberos for the DataStax Enterprise (DSE) clients, including dsetool, DSE FS, DSE Graph, and DSE Spark.

  1. Create the keytab file with kadmin:

    Start kadmin:

    kadmin

    Create file:

    ktadd -k <file_name> <principal_name>

  2. Log in using kinit:

    kinit -k -t <file_name> <principal_name>

  3. Create a Java Authentication and Authorization Service (JAAS) configuration file for the DSE Client:

    1. Create a file named .java.login.config and put it in the home directory.

    2. Define the variables required to use a keytab file:

      DseClient {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    useKeyTab=true
    keyTab="<file_name>"
    principal="<principal_name>";
};

      where

      keyTab

      Absolute path to the keytab file. For example, /home/adam/krb5_opsc.keytab.

      principal

      The fully qualified principal name. For example, dse_admin/dse1.lan@EXAMPLE.COM.

    For more information on the available settings see the documentation for com.sun.security.auth.module.Krb5LoginModule.

  4. Optional: If the JAAS configuration is not in the default location or has the default name, customize the location using one of the following methods:

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax, an IBM Company | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com